WhatsApp found to breach Dutch and Canadian privacy laws

A joint investigation by Canadian and Dutch officials has determined that popular mobile messaging program WhatsApp violates privacy laws of both countries. The problem is that the application, which lets users text each other over the internet in order to circumvent carrier texting charges, requires users to grant it access to their entire address book and not just the contacts who use it.

Jacob Kohnstamm, chairman of the Dutch Data Protection Authority, said in a statement:

"The address book contains phone numbers of both users and non-users. This lack of choice contravenes (Dutch and Canadian) privacy law."

The iOS 6 version of WhatsApp lets users add contacts manually, avoiding such privacy issues. However, versions for Windows Phone, Android and BlackBerry still require access to all contacts. WhatsApp, Inc., makers of the program, have reportedly committed to resolving the issue, but have not yet provided a timeline for doing so.

Last January, Canada's Office of the Privacy Commissioner conducted an investigation based on "reasonable grounds" that WhatsApp was "collecting, using, disclosing and retaining personal information" in such a way that it was in violation of Canadian privacy law. Dutch officials joined in shortly after.

The report says that the investigation turned up other privacy concerns, which were quickly resolved by WhatsApp, Inc.

Messages between users were unencrypted at the start of the investigation, "leaving them prone to eavesdropping or interception, especially when sent through unprotected Wi-Fi networks." In response to the investigation, WhatsApp introduced encryption in September 2012.

WhatsApp generated passwords for message exchanges using information about the mobile devices involved that "can be relatively easily exposed," creating the risk that a third party could send and receive messages on a user's behalf without them knowing. Password security was upgraded in the newest version of the app.

In a deserved pat on their own back, officials said that their cooperative effort "has led to WhatsApp making and committing to make further changes in order to better protect users' personal information." This is a win-win situation for consumers who want to keep their information private and for WhatsApp, who has demonstrated that they are willing to do the right thing to protect their customers.

Can't they instead upload a hashed version of the phone number, and compare it to hashed phone numbers of WhatsApp users? Then they don't have to store/upload the phone numbers. Sounds like an easy fix.

Not really. While that works well for passwords where there is a very large possible set of input values, there's a relatively low number of phone numbers. It would be pretty trivial to map out all the hashes for phone numbers. It adds an extra step but doesn't realistically solve the problem.
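The input-space argument in the reply above, as an added example that is not part of the original comments: it compares the size of the phone-number space with that of a random password and shows a hash being mapped back over a small constructed number block. The `+1555555` prefix, the 10-digit national number length, the 12-character password and the hash rate are all assumptions chosen for illustration.

```python
import hashlib
import math

# Constructed sample block: 10,000 made-up numbers under one prefix.
PREFIX = "+1555555"
SUFFIX_DIGITS = 4


def sha256_hex(number: str) -> str:
    """Unsalted hash, as proposed in the first comment."""
    return hashlib.sha256(number.encode("ascii")).hexdigest()


def input_space_bits(candidates: int) -> float:
    """Size of an input space expressed in bits."""
    return math.log2(candidates)


def seconds_to_enumerate(candidates: int, hashes_per_second: float) -> float:
    """Time to hash every candidate once at an assumed rate."""
    return candidates / hashes_per_second


def build_lookup(prefix: str, suffix_digits: int) -> dict:
    """Precompute hash -> number for every number in one block."""
    table = {}
    for n in range(10 ** suffix_digits):
        number = f"{prefix}{n:0{suffix_digits}d}"
        table[sha256_hex(number)] = number
    return table


def recover(hashed: str, table: dict):
    """Return the number behind a hash, or None if outside the block."""
    return table.get(hashed)


if __name__ == "__main__":
    phone_bits = input_space_bits(10 ** 10)   # assumed 10-digit numbers
    pass_bits = input_space_bits(94 ** 12)    # assumed 12 printable chars
    print(f"phone numbers: {phone_bits:.1f} bits, password: {pass_bits:.1f} bits")
    # Assumed rate of one million hashes per second on commodity hardware.
    print(f"full 10-digit space: {seconds_to_enumerate(10 ** 10, 1e6):.0f} s")
    table = build_lookup(PREFIX, SUFFIX_DIGITS)
    uploaded = sha256_hex(PREFIX + "1234")    # what a client would upload
    print("hash maps back to:", recover(uploaded, table))
```

Because every client must produce the same hash for the same number for matching to work, a per-user salt is not available to widen this space.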

Well, if it violated Dutch privacy laws, chances are it violates ALL privacy laws in the European Union since that sort of thing has been pretty much standardized around here. Let's see if other countries react or if this is just the Dutch being overprotective.

Though it's ironic, isn't it? These "privacy" concerns coming from the same country with the famous Red Light District LOL

All I know is that I got a message from a random number asking if I wanted more messages, and told me to click on a link with my telephone number in.
I'm a little bit worried now that my number is floating around on the net - it's bad enough with my junk email :-o